Legislation and spyware
Before legislators or regulators (e.g., the FTC) can issue a regulation prohibiting a behavior or act, they must first define that behavior or act. Many security professionals and attorneys worry that defining the behaviors and acts that constitute spam and spyware will provide "operating space" for spammers, trackers, pests, and spies. Specifically, if we define what constitutes an inappropriate (sneaky) commercial use of software delivery, secret information collection (tracking), and what Steve DelBianco aptly calls resisting-removal behavior in software, we also define a sandbox in which developers can create intrusive applications that look and feel like spyware, and cookies that track user behavior, while operating within the letter of the law.
As DelBianco correctly asserts in his column, spyware is the quintessential 21st century bad business practice. He speculates, and I concur, that additional legislation may do more harm, where enforcement of existing laws prohibiting unfair and deceptive business practices may do more good. Bad business behavior is bad whether in the virtual or real world.
In the real world, we invite and consent to the installation of satellite dishes, cable TV and telephone connections and wiring in our homes and offices. We consent to security monitoring by a certified alarm company. Most of us would be outraged to find that the installation of any of these services came bundled with surveillance cameras, recording devices, and microphones that collect information about our lifestyles. We expect to maintain control over who comes and goes in our homes and offices, and what they do while they are present on our property. It's not unreasonable for us to seek the same control over our computers, handhelds, and mobile phones. Spyware strips us of such controls.
The issue runs deeper than whether a cookie or music player application records the web pages I've visited and music I choose. It's a matter of trust versus violation of trust. Distinguishing spyware from adware from acceptable cookie and tracking ware isn't nearly so much a matter of technology as it is of trust.
I believe that legitimate adware, supportware, cookie, and tracking technology should provide:
- notice of installation;
- a description of all the activities it will perform and anticipated resource utilization;
- a description of the kinds of advertisements it will display, and manner of display;
- full disclosure of any information it will collect, the purpose of collection, and the parties to whom the information will be disclosed;
- a local log function that provides the user with the means to corroborate these claims; and
- a clean, non-resistant removal procedure.
Most importantly, all software should have opt-in installation and features selection facilities.
For example, a good business offers a free version of a media player with the following conditions stated during installation: (1) the user accepts entertainment-oriented ads; (2) the user agrees to the company gathering information limited to music titles and artists, movie titles, directors, producers, and actors, and play frequency; and (3) the company is permitted to sell this information, along with the user's name and address, to entertainment companies for the purpose of direct advertising. If the user declines (opts out), the media player will not install unless the user pays for and registers the product. The company gets something from you, and you get a media player from the company.
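To make the opt-in bargain and the properties listed above concrete, here is an added Python example; it is my illustration, not code from the column or from any real media player. It models the hypothetical player: installation proceeds only on opt-in (or on payment, in which case nothing is collected), the collector keeps only the fields named in the disclosure and drops everything else, every action is appended to a local log the user can read back, and removal deletes the player's state and its log. The class name `ConsentGatedPlayer`, the contents of `PLAYER_DISCLOSURE`, and the sample play events are all constructed for the example.

```python
"""Opt-in install gate, scoped collection, local audit log and clean removal.

Added example; the disclosure text and class names are constructed, not from any
real product.
"""
import json
import os
import tempfile

# Constructed disclosure for the hypothetical media player in the column:
# what it shows, what it collects, whom it shares with, what it consumes,
# and how it is removed.
PLAYER_DISCLOSURE = {
    "ads": "entertainment-oriented ads shown inside the player window",
    "collects": ["music_title", "artist", "movie_title", "director",
                 "producer", "actor", "play_count"],
    "shares_with": ["entertainment companies, for direct advertising"],
    "also_shares": ["user_name", "address"],
    "resources": "CPU, memory and bandwidth while the player is running",
    "removal": "uninstall() deletes the player state and its local log",
}


class ConsentError(Exception):
    """Raised when the player is used before installation."""


class ConsentGatedPlayer:
    def __init__(self, disclosure, log_path):
        self.disclosure = disclosure
        self.log_path = log_path        # local log the user can read back
        self.installed = False
        self.consented = False          # True only after an explicit opt-in
        self.pending = []               # scoped records not yet shared

    def install(self, opt_in, paid=False):
        """Install only on opt-in; a paid, registered copy installs untracked."""
        if not opt_in and not paid:
            return False                # user declined and did not pay: no install
        self.installed = True
        self.consented = opt_in and not paid
        self._log("install", {"opt_in": opt_in, "paid": paid,
                              "terms": self.disclosure})
        return True

    def record_play(self, event):
        """Keep only the disclosed fields; log what was kept and what was dropped."""
        if not self.installed:
            raise ConsentError("player is not installed")
        if not self.consented:
            return {}                   # paid copy: nothing is collected
        allowed = set(self.disclosure["collects"])
        kept = {k: v for k, v in event.items() if k in allowed}
        dropped = sorted(set(event) - allowed)
        self._log("collect", {"kept": kept, "dropped": dropped})
        self.pending.append(kept)
        return kept

    def report(self):
        """Hand the scoped records to the disclosed recipients and log the share."""
        batch, self.pending = self.pending, []
        self._log("share", {"recipients": self.disclosure["shares_with"],
                            "records": len(batch)})
        return batch

    def audit_log(self):
        """Return the local log so the user can corroborate the disclosure."""
        if not os.path.exists(self.log_path):
            return []
        with open(self.log_path, encoding="utf-8") as fh:
            return [json.loads(line) for line in fh if line.strip()]

    def uninstall(self):
        """Clean, non-resisting removal: clear state and delete the log."""
        self.installed = False
        self.consented = False
        self.pending = []
        if os.path.exists(self.log_path):
            os.remove(self.log_path)
        return not os.path.exists(self.log_path)

    def _log(self, action, detail):
        with open(self.log_path, "a", encoding="utf-8") as fh:
            fh.write(json.dumps({"action": action, "detail": detail}) + "\n")


def demo(log_path=None):
    """Walk through decline, paid install, and opt-in; return what was observed."""
    if log_path is None:
        log_path = os.path.join(tempfile.mkdtemp(), "player.log")
    results = {}
    declined = ConsentGatedPlayer(PLAYER_DISCLOSURE, log_path)
    results["declined_installs"] = declined.install(opt_in=False)
    paid = ConsentGatedPlayer(PLAYER_DISCLOSURE, log_path)
    paid.install(opt_in=False, paid=True)
    results["paid_collects"] = paid.record_play({"music_title": "Song A", "artist": "Band B"})
    paid.uninstall()
    player = ConsentGatedPlayer(PLAYER_DISCLOSURE, log_path)
    player.install(opt_in=True)
    # Constructed event with one field the disclosure never mentioned.
    results["kept"] = player.record_play(
        {"music_title": "Song A", "artist": "Band B", "browser_history": "..."})
    results["dropped"] = [e["detail"]["dropped"] for e in player.audit_log()
                          if e["action"] == "collect"]
    results["report"] = player.report()
    results["log_actions"] = [e["action"] for e in player.audit_log()]
    results["removed"] = player.uninstall()
    results["log_gone"] = not os.path.exists(log_path)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the example is that consent is enforced by the code path, not by the license text: the undisclosed `browser_history` field never reaches the shared batch, the paid copy collects nothing at all, and the log is the user's evidence that the behaviour matched the disclosure.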
Notice that the music player is not "free"; it's using your CPU, memory, and bandwidth to profit from the information it collects and the ads it presents to you. Consider this real world analogy, illustrating a bad business practice. You purchase aspirin at Jocko's drug store, and have it delivered. Jocko's delivery van arrives, and three workers mount a neon "End Erectile Dysfunction now: buy vi@gr@ at Jocko's Drugstore" sign on your bedroom window, then use your electricity to power the darn thing. Meanwhile, Jocko's delivery boy rifles through your medicine cabinet, recording all your prescriptions. This is an unacceptable business practice. Many spywarez operate in exactly this manner. In the real world, we'd contact the Better Business Bureau or perhaps the police, and haul Jocko to court. We'd take advantage of existing laws, and of the similar codes of practice enforced in countries throughout the world, to hold Jocko accountable for unfair and deceptive business practices.
Before we begin writing new laws for spyware, let's see how much of the spyware cesspool we can clean up applying the laws we already have.
Archived at http://www.securityskeptic.com/arc20040501.htm#BlogID256
by Dave Piscitello